Open sstallion opened 4 years ago
A brief update - I think I may have sorted out a possible solution. It looks like SSL_CERT_DIR is defined in the default conda openssl installation and points to <env>/ssl/certs/; if the CA certificate is placed in that directory (it may need to be created first) followed by a c_rehash <env>/ssl/certs (perl will need to be installed), this seems to resolve the issue.
This should be fairly easy to work into a custom package with a post-link script to run c_rehash.
If this is acceptable it might be worth documenting somewhere to save some time/frustration.
Thoughts?
Note: If you're curious what your OpenSSL environment looks like, issue:
$ python -c "import ssl; print(ssl.get_default_verify_paths())"
DefaultVerifyPaths(cafile='/vagrant/.conda/ssl/cert.pem', capath='/vagrant/.conda/ssl/certs',
openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/vagrant/.conda/ssl/cert.pem', openssl_capath_env='SSL_CERT_DIR',
openssl_capath='/vagrant/.conda/ssl/certs')
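Added example, not part of the original issue or of conda's own tooling: the comment above relies on c_rehash to build the hashed links that OpenSSL looks up in SSL_CERT_DIR. This sketch creates the same <subject_hash>.N link for a single certificate using only the openssl CLI, so perl is not needed; the function name and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the issue): hash-link one CA certificate into an
# OpenSSL CApath directory, as c_rehash would, using only the openssl CLI.
# Usage (paths are placeholders):
#   add_ca_to_capath ./internal-ca.pem "$CONDA_PREFIX/ssl/certs"
add_ca_to_capath() {
    cert=$1
    dir=$2
    # Reject anything that does not parse as a PEM X.509 certificate.
    hash=$(openssl x509 -in "$cert" -noout -subject_hash) || return 1
    fp=$(openssl x509 -in "$cert" -noout -fingerprint -sha256) || return 1
    mkdir -p "$dir" || return 1
    name=$(basename "$cert")
    if [ -e "$dir/$name" ]; then
        # Never silently replace a different file that has the same name.
        cmp -s "$cert" "$dir/$name" || { echo "refusing to overwrite $dir/$name" >&2; return 1; }
    else
        cp "$cert" "$dir/$name" || return 1
    fi
    # OpenSSL looks up <subject_hash>.0, .1, ... so certificates that share
    # a subject hash each need their own index.
    n=0
    while :; do
        link="$dir/$hash.$n"
        if [ ! -e "$link" ]; then
            # Free slot (or a dangling link left behind): point it at our file.
            ln -sf "$name" "$link" || return 1
            break
        fi
        # Slot in use: stop if it is already this certificate, else try the next.
        other=$(openssl x509 -in "$link" -noout -fingerprint -sha256 2>/dev/null)
        [ "$other" = "$fp" ] && break
        n=$((n + 1))
    done
    echo "$hash.$n"
}
```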
I'm currently evaluating conda for managing a large development environment and I'm running into an issue dealing with custom CA certificates. For commands installed to the environment like curl, the system cacert.pem is eschewed for those provided by the ca-certificates package. The main issue we have is many of our tools default to using OpenSSL for resolving cacerts, so it's impractical (and in some cases impossible) to provide environment variables to change which bundles are used at runtime.
There does not seem to be a way to extend ca-certificates without modifying <env>/ssl/cacert.pem. Is there a better way to update cacerts than modifying this file directly?
Actual Behavior
Unable to verify internal resources when unmodified ca-certificates package is installed.
Expected Behavior
A method to provide additional certificates without modifying files provided by ca-certificates.
Steps to Reproduce
$ curl https://some.internal.host/, followed by failure to verify certificate without modifying <env>/ssl/cacert.pem.
Anaconda or Miniconda version:
conda 4.8.3
Operating System:
conda info
conda list --show-channel-urls